In general, implantable medical devices (IMDs) provide in situ therapy delivery, such as cardiac pacing and defibrillation, neural stimulation, and drug dispensing, and physiological data collection. IMDs are controlled and monitored through external programmers, programmer recorder monitors, repeaters, and equivalent devices, hereafter simply “programmers.” Conventionally, programmers exchange parametric and physiological data through inductive telemetry with the IMDs. Although limited to a range of about six inches, inductive telemetry facilitates safe and non-invasive data exchange. Moreover, patient consent and confidentiality are assured through the use of a wand placed in physical contact with the patient's body.
More recently, radio frequency (RF) telemetry has been adopted for IMD-programmer communication with longer ranges and higher bandwidth data exchange. The sweeping scope of recent medical information privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the European Privacy Directive, may affect patient privacy on IMDs with longer transmission ranges, such as provided through RF telemetry, and other unsecured data interfaces providing sensitive information exchange under conditions that could allow eavesdropping, interception or interference. As a result, RF telemetry requires additional safeguards to ensure that each programmer is properly authenticated prior to and during data exchange, such as described in commonly-assigned U.S. patent application Ser. No. 10/800,806, filed Mar. 15, 2004, pending, and U.S. patent application Ser. No. 10/801,150, filed Mar. 15, 2004, pending, the disclosures of which are incorporated by reference.
Until recently, programmers primarily functioned as stand-alone medical devices to store, view and process downloaded physiological data as patient histories and to reprogram IMDs with revised operational settings uploaded as parametric values. Limited data exchange with other programmers and external devices, such as personal computers, was historically provided through data diskettes storing the data in a proprietary format. Lately, though, programmers have increasingly included integrated external communication channels, including low speed serial modem connections and high speed network connections, which can provide interconnectivity to a centralized server respectively over standard telephone lines and wide area networks, such as the Internet.
The ability to interface programmers to IMDs at longer ranges through RF telemetry and to connect programmers to external devices outside the control of the health care practitioner has created the need to ensure the physical security of programmers, in addition to providing transmission security. For instance, a rogue programmer, such as obtained through theft, could be used to maliciously reprogram an IMD using RF telemetry or to surreptitiously download a patient history. Similarly, a rogue programmer could also be used to upload corrupt parametric values or fabricated patient histories onto the centralized server, which could adversely affect those health care practitioners relying on the stored data for consideration in forming therapy decisions.
Disabling the operation of a programmer from unauthorized use provides a highly effective physical security solution. However, safeguarding the physical security of programmers must be balanced against ease of use. Programmers are typically used in a clinical or hospital setting shared by numerous individuals, including physicians, nurses and technical staff, and physical safeguards, such as provided with a key switch, can prove inconvenient and unworkable. Similarly, soft safeguards, such as provided through user passwords, can be easily bypassed or compromised through user carelessness or inadvertence. On the other hand, external safeguards transfer the responsibility for physical security to a third party by requiring pre-authorization from a centralized server using a modem or network connection before enabling the programmer. External safeguards are transparent with negligible impact on ease of use, yet always cannot be assured unless the recipient of an unauthorized programmer chooses to use the modem or network connection to obtain pre-authorization and thereby risk detection.
U.S. Pat. No. 6,648,823, issued Nov. 18, 2003 to Thompson and U.S. Pat. No. 6,442,433, issued Aug. 27, 2002 to Linberg both describe a programmer that is interfaced to a remote expert data center. The programmer provides a high speed communications scheme that includes a wireless Internet connection. The expert data center is Web-based and interacts with the IMDs through the programmer to remotely exchange clinically significant information and to effect real time parametric and operational changes. Thompson describes accessing a patient and device information database, identifying devices or components that are out of specification, and notifying a clinician or the patient of out of specification items. Linberg describes remotely diagnosing, maintaining, upgrading, performance tracking, tuning, and adjusting a programmer from a remote location. However, neither Thompson nor Linberg describe providing remote registration of a programmer over a cellular network coupled with the integrated disablement of a programmer if attempts at credentialing fail.
Therefore, there is a need for an approach to providing cellular network-based communication between a programmer and an external system integrated with distributed safeguards to protect programmer physical security. Preferably, such an approach would be maintained on a central database of registered programmers that must be accessed and confirmed as legitimate before enabling the programmer for operations. Such an approach would further be capable of interfacing to a plurality of external systems for collaborative exchanging of data relative to the IMD and patient care.